[SOLVED] Jails under OPNsense 22.1 ?

[ajm]

For reasons of saving power/rackspace/network ports, I'm considering co-locating a couple of additional services, which aren't available as 'plugins', on the same physical box which will be running OPNsense.

I want to run OPNsense on the metal not as a VM. I don't want to custom compile the packages to run directly on OPNsense. As I already have an investment in jails to run some services elsewhere on the network, I want to look at the option of hosting jails under OPNsense. These would be held on a physically separate zfs pool, dedicated to the jails and data. (OPNsense will of course be under ZFS/BE, on the boot disk.)

I'm not hugely experienced in all this, but my understanding is that so long as I stick with the same ABI OPNsense is using (13.0-STABLE), I should be able to create a base jail using the stock FreeBSD distribution .txz's, and clone my service jail(s) off that. The services would be installed and maintained as stock FreeBSD packages. Does that sound feasible ?

For networking, although the hardware has enough interfaces to give the jail its own physical interface, I would prefer to connect the jails via VNET into OPNsense. I'd be very interested to hear of any experiences with this, and particularly if there are any showstoppers !

[franco]

Yes, run FreeBSD 13 based jails in there, preferably 13.0-RELEASE at the moment. 13.1-RELEASE when this comes out. As we will probably stay on 13.1-RELEASE when it becomes available 13.2-RELEASE inside it might not work and package updates for older versions will go stale.


Cheers,
Franco

[ajm]

Thanks for that ! Very helpful.

I'll have a go with it on my proof-of-concept box and see how I get on. TBH it's the networking side of it I feel more challenged by, I'm sure it'll be good learning experience at the very least.

[franco]

The standard networking situation should apply although it might be that the core needs small adjustments to support it seamlessly (e.g. configuring the epair(4) device on the host side) so traffic can flow directly.


Cheers,
Franco

[ajm]

Just a quick update to confirm my jails under OPNsense 22.1 are up and running. Mostly I was able to follow the typical approach used under FreeBSD.

I can now host additional services, sandboxed away from OPNsense, using stock FreeBSD, free to use whatever I need to without having to worry about impact on the firewall or dealing with upgrades etc outside my control.

There were just a couple of syshook scripts needed to create the 'epair' interfaces, and also to mount the ZFS pool on a 2TB SSD I'm using, which for reasons unknown at this time could not be automounted at boot.

If any readers want to have a go at this let me know and I can forward the details.

[vnxme]

If any readers want to have a go at this let me know and I can forward the details.

I would be grateful if you could share a step-by-step guide how to setup a jail under OPNsense 22.1. Did you setup a bridge interface on the host system? What tool (if any) do you use to manage your jails? Which services did you put into jails (just collecting ideas)?

[ajm]

See link below for a quick-and-dirty 'HOWTO'.

Re. jail management tools, for this simple setup the stock commands were adequate, and didn't justify use of 'IOcage' or 'EZjail'. There's a bit of a question-mark over the maintenence of these packages.

https://forum.opnsense.org/index.php?topic=26975.0

HTH, Andy

[franco]

ajm, if you don't mind can you post in tutorials section and link from here to there? this way I can sticky this very helpful writeup.


Thank you,
Franco

[franco]

Andy, stickied as promised. Thanks!

[ajm]